Use authentication code grant instead of password grant.

[ray-lee]

What does this do?

This changes the way that tokens are retrieved from the services layer when logging in. The OAuth authorization code grant is now used, instead of the password grant. In order to support this, the session configuration now accepts the new properties:

• authCode
• codeVerifier
• redirectUri

The username and password properties, used to support the password grant, no longer have any effect.

This library is only responsible for obtaining a token, given an authorization code. Obtaining the authorization code should be done outside of this library.

Why are we doing this? (with JIRA link)

CSpace 8.0 upgrades Spring Security to 5.3, and uses Spring Authorization Server instead of the Spring OAuth2 plugin. These upgrades drop support for the OAuth password grant (which has been removed from the latest versions of OAuth). The recommended approach for web apps is to use the authorization code grant.

How should this be tested? Do these changes have associated tests?

This can be tested together with CSpace 8.0 and cspace-ui 9.0. Log in should continue to work with this combination.

Some unit tests still need to be written. These will be in a separate PR.

Dependencies for merging? Releasing to production?

None.

Has the application documentation been updated for these changes?

n/a

Did someone actually run this code to verify it works?

@ray-lee ran this against a local CSpace 8.0 server.

[codecov]

Codecov Report

Patch coverage is 76.92% of modified lines.

Files Changed	Coverage
src/session.js	62.50%
src/tokenHelpers.js	100.00%

📢 Thoughts on this report? Let us know!.